What are the compensating controls given BitBucket Cloud data is not encrypted at rest

Kyle September 29, 2020

We are Jira and Confluence cloud users and are evaluating migrating from an on-premise Git hosting solution to BitBucket cloud. Atlassian's Security practices page states "Bitbucket does not offer encryption at rest for repositories at this time." Competing platforms github.com and gitlab.com have both added encryption at rest to their platforms within the past two years.

We could be fine with no encryption at rest provided there are compensating controls to assure the confidentiality and integrity of our data. Can anyone provide specific information about compensating controls that Atlassian follows to ensure that:

  • our repositories are not accessible to other tenants on the platform
  • our repositories are not accessible to Atlassian staff other than those authorized to access it for support and operational purposes
  • backups of the unencrypted repositories are managed to prevent disclosure

Thanks for your help with our evaluation.
Rabbit September 29, 2020

In my experience, you can't even access the repositories of your own employees unless they're on managed accounts. We had a company owned workspace that I had to go to great lengths to regain ownership for, because the person who had created it had left. Also, even if you are invited to a workspace, you cannot see any repos in it unless you are added to a group which has access to the specific repository. In this way, your repos aren't even visible to bitbucket accounts at your company unless explicitly granted by an admin, whether through the UI or command line.

Hope this helps; I'm sure an actual Atlassian will be able to confirm on the backups issue, which is the one I am not sure about.

blisteringbarnacles September 29, 2020

Hi Kyle,

I also struggled with these asks from CISO & Compliance.

The compensating controls can be found in SOC 2 & 3 reports, in addition to the Cloud Security Alliance self-assessment filed by Atlassian. Here >>

https://content-production.star.watch/atlassian/documents/2020-07-16_Bitbucket_CSA_Update_2020-07_2ug00EbF_added_20200716-1869-qhh9op.zip?1594931205

Interestingly, while searching for these, I also went through GitHub's self-assessment

here

This is what GitHub says, Row 90 in the self-assessment:

"Repository backup data is encrypted in storage; data is encrypted with github keys and then stored. Data in Production environment is not encrypted at rest "

Don't know what to make of it, given this is the opposite of what is stated publicly, but it was sufficient to make this an equalizer for this specific security requirement.

Hope this was helpful.
